01 Threats and goals

advertisement
Network Security:
Threats and Goals
Tuomas Aura
T-110.5240 Network security
Aalto University, Nov-Dec 2012
Outline
1.
2.
3.
4.
5.
Network security
Basic network threats: sniffing and spoofing
Role of cryptography
Security and the network protocol stack
Case study: email security
2
Network security
3
What is network security
Network security protects against intentional bad
things done to communication
Protect messages (data on wire) and communication
infrastructure
Network security goals:
Confidentiality — no sniffing
Authentication and integrity — no spoofing of data or
signaling, no man-in-the-middle attacks
Access control — no unauthorized use of network
Availability — no denial of service by preventing
communication
Privacy — no traffic analysis or location tracking
Who is the attacker?
We partition the world into the good and bad side
Honest parties vs. attackers
Good entities follow specification, bad ones do not
Different partitions lead to different perspectives on the security of
the same system
Typical attackers:
Curious or dishonest individuals — for personal gain
Hackers, crackers, script kiddies — for challenge and reputation
Political activists — for political pressure
Companies — for business intelligence and marketing
Security agencies — NSA, SVR, GCHQ, DGSE, etc.
Military SIGINT — strategic and tactical intelligence, cyber-war
Organized criminals — for money
Often, not all types of attackers matter to everyone
E.g. would you care if NSA/university/mom read your email?
6
Basic network threats:
sniffing and spoofing
7
Traditional network-security
threat model
Network
=
Attacker
End are nodes trusted, the network is unreliable
End nodes send messages to the network and receive messages
from it
Network will deliver some messages but it can read, delete,
modify and replay them
Metaphors: unreliable postman, notice board, rubbish basket
8
Basic network security threats
Traditional major threats:
Sniffing = attacker listens to network traffic
Spoofing = attacker sends unauthentic messages
Data modification (man in the middle) = attacker
intercepts and modifies data
Corresponding security requirements:
Data confidentiality
Data-origin authentication and data integrity
10
Man in the middle (MitM)
In the man-in-the-middle attack, the attacker is between the
honest endpoints
Attacker can intercept and modify data
→ combines sniffing and spoofing
On the Internet, a MitM attacker must
be at the local network of one of the end points
be at a link or router on the route between them, or
change routing to redirect the packets via its own location
Note: Just forwarding data between two endpoints (like a
piece of wire) is not an attack. What does the attacker gain?
18
Other network threats
What other threats and security requirements
are there on open networks?
Other threats:
Unauthorized resource use (vs. access control)
Integrity of signalling and communications metadata
Denial of service (DoS) (vs. availability)
Traffic analysis, location tracking
Lack of privacy
Software security
Not captured well by the traditional networksecurity model
19
Role of cryptography
20
Cryptographic primitives
Symmetric (shared-key) encryption for data
confidentiality
Block and stream ciphers, e.g. AES-CBC, RC4
Cryptographic hash function
E.g. SHA-1, SHA256
Message authentication code (MAC) for data
authentication and integrity
E.g. HMAC-SHA-1
Public-key (or asymmetric) encryption
E.g. RSA, ElGamal
Public-key signatures
E.g. RSA, DSA
Diffie-Hellman key exchange
Random number generation
Crypto Wars – some history
Until ‘70s, encryption was military technology
In ‘70s and ‘80s, limited commercial applications
American export restrictions and active discouragement
prevented wide commercial and private use
Reasons to ban strong encryption:
Intelligence agencies (e.g. NSA) cannot spy on encrypted
international communications
Criminals, terrorists and immoral people use encryption
In ‘90s: PGP, SSL, SSH and other commercial and opensource cryptography became widely available
Activists argued that cryptography was a tool for freedom
Researchers argued that weak crypto is like no crypto
Encryption became necessary for business on the Internet
Most export restrictions were lifted in 2000
22
Security and the network
protocol stack
25
Protocol Stack and Security
Application
E.g. email: PGP, S/MIME
Middleware
E.g. XML Encryption
TCP, UDP, ... (transport)
IP (network)
TLS/SSL, SSH
IPSec
Ethernet protocol
802.1X, WEP
Physical network
Security solutions exist for every protocol layer
Layers have different security and performance tradeoffs, trust relations and endpoint identifiers
26
End-to-end security
Security should be implemented between the endpoints
of communication. All intermediaries are part of the
untrusted network
End-to-end security only depends on the end nodes
Hop-by-hop (link-layer) security assumes all routers are trusted
and secure
End-to-end security protocols are independent of the
network technology at intermediate links
Link-layer security is different for each link type
Confidentiality and authentication are usually user or
application requirements
Network or link layer only cannot know application-level
requirements
But link and network layer infrastructure and signalling
need protection, too
28
Endpoint names
Authentication and integrity depend on names
(identifiers)
Each protocol layer has its own way of naming
endpoints:
Ethernet (MAC) addresses in the link layer
(e.g. 00-B0-D0-05-04-7E)
IP address in the network layer
(e.g. 157.58.56.101)
TCP port number + IP address
DNS or NetBIOS name in the higher layers
(e.g. vipunen.tkk.fi)
URI in web pages and services
(e.g. http://www.example.org/myservice)
29
Email security
Security requirements
What kind of security is needed for email?
Confidentiality?
Authentication?
Non-repudiation?
PGP, S/MIME
Time stamping?
Mandatory access control, DRM?
Spam control?
Phishing prevention?
Anonymity?
We use email security as the first example because it is
a fairly straightforward application of crypto and allows
us to introduce many basic concepts
Crypto does not solve all email security problems
32
Internet email architecture
DNS
Query for
MX record of
contoso.com /
Response:
mail.contoso.com
Internet
IMAP, POP3,
webmail, or
proprietary
protocol
SMTP
Server
exchange.example.com
Sender
alice@example.com
SMTP or
proprietary
protocol
Server
mail.contoso.com
Receiver
bob@contoso.com
Alice sends mail to bob@contoso.com
Where are the security vulnerabilities?
33
Pretty Good Privacy (PGP)
Extra reading material
34
Sign, compress, encrypt
Alice’s
private
key PK-1A
h(M)
Sign
Bob’s
public
Key PKB
Bob’s
private
Key PK-1B
Encrypt
(asymm.)
Decrypt
(asymm.)
SignA(M)
Hash
M
Fresh
random
session
key SK
||
EB(SK)
Compress
Encrypt
(symm.)
Authentication
||
Verify
Hash
Ok?
SignA(M)
M
split
Insecure
network
h(M)
SK
ESK(Z(M, SignA(M))),
EB(SK)
Encryption
Sender Alice
EB(SK)
Alice’s
public
key PKA
Decrypt
(symm.)
Decompress
Decryption
M
split
Authentication
Receiver Bob
Sender and receiver need to know each other’s public keys
Options to encrypt only or to sign only:
Possible to sign without knowing receiver’s public key, or when
sending to a mailing list
Possible to encrypt without identifying sender
35
Example: PGP-encrypted message
-----BEGIN PGP MESSAGE----Version: GnuPG v1.4.8
Comment: Encrypted secret message.
hQEOA1e+1x6YuUMCEAQAoST1l/obnXOB6fhIhmLnGVLhuxmsksKD+Efyk7ja9gOx
U5X98/25ZVDQz0EiOkRjW2LChuZt9Kesh1DSIRwB/llXCm3pbNX/V+ajkL4Fzxlw
jWCCedv527SUNTUP70lhLbh4O2kHHxMdEn41zVo9TPUgtQ1BIo32k/xP2RYtPCEE
AJDhcyp+COLaI4idibfSrDDtYcT+hVVFVveIteTIcznoUoS1yVyipE4mBwa380c6
TiwImq63hOhs62c9BOQv7G9cnaqEZNg0nLiVZD+K/JeN00zILm+TzdWZxrW019nA
+tsMwznUZ2V/kQZjS9xkPWjn7ZzPTyW6gLhjWQNlr93S0lcBT0CJy285ixFz9UrJ
qjK2azsBdXRcVuXFdh84LW1E/8/8DwdLgSK9X/jPNv3/WGLA4Ez2xTFIUorVi5Xe
M9dpriEQ0Jg2msnz2bjqRGZliXXo6m8ye/A=
=YWDi
-----END PGP MESSAGE-----
“Meet me in the park at 6 PM.”
37
ASCII armor headers
for sending in text email
PK-encrypted
session key EB(SK)
(may repeat for
multiple recipients)
For quick check of
successful decryption
Unix time (seconds
since 1 Jan 1970 UTC)
For quick check
of the hash
Encrypted
Message
ESK(…)
ASCII armor checksum
Typical PGP message
-----BEGIN PGP MESSAGE----Version: GnuPG v1.4.8
Recipient key id
Session key SK
EB
Random block (IV)
+ 2 repeating bytes
Signature type
Signing time
Signer key id
2 bytes of hash
RSA/DSA signature
Radix-64
Hash
&SignA
Zip
ESK
Data
=ojUK
-----END PGP MESSAGE-----
38
Radix-64 encoding
Use safe ASCII characters to represent values 0..63:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv
xyz0123456789+/
Encode each 3 bytes as 4 characters:
+--first octet--+-second octet--+--third octet--+
|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
+-----------+---+-------+-------+---+-----------+
|5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0|
+--1.char---+--2.char---+--3.cahr---+--4.char---+
If the data length is not divisible by 3, pad with one
or two = characters to indicate actual length
41
S/MIME
PGP is mainly used by private persons and academia
S/MIME is a similar standard used primarily by
enterprises, e.g. Outlook
Message structure based on the MIME standards
 Envelopes and signatures are new MIME types
→ Base64 encoding
42
Non-repudiation
Proof of authenticity to third parties
Email sender cannot later deny sending the message
(i.e. cannot repudiate the message)
Third party, such as a judge, is needed to make the decision
The public key must be somehow registered to bind it to the
person signing
Uses:
Accountability for sent messages
Contract signing
Questions:
Does the sender of an email want to go do extra work in order
to be accountable for the emails he sends?
→ Little motivation to sign messages
Are business contracts signed using secure email?
43
Related reading
William Stallings, Network security essentials:
applications and standards, 3rd ed.: chapter 1
William Stallings, Cryptography and Network
Security, 4th ed.: chapter 1
Dieter Gollmann, Computer Security, 2nd ed.
chapter 13; 3rd ed. chapters 16.1, 17.1
Ross Anderson, Security Engineering, 2nd ed.:
chapter 6
45
Exercises
Design a more spoofing-resistant acknowledgement scheme to replace TCP
sequence numbers. Hint: use random numbers (and maybe hashes) to ensure
that acknowledgements can only be sent by someone who has really seen the
packets
Which applications of hash functions in network protocols require strong
collision resistance? Which do not?
Why is link-layer security needed e.g. in WLAN or cellular networks, or is it?
To what extent are the identifiers in each protocol layer of the TCP/IP stack
unique? Does one layer in the protocol stack know the identifiers of other layers?
How do the properties of these identifiers differ:
IP address, DNS name, email address, person’s name, company name, national
identity number (HETU)
How to prevent SMTP spoofing without end-to-end cryptography? What can be
filtered at SMTP servers and what cannot?
Does signing of emails help spam control?
Install an OpenPGP implementation (e.g. GPG). How do you check that the binary
or source code has not been tampered with? Would you use PGP itself to verify
the signature or fingerprint on the installation package?
46
Download